Re: GPG USAGE HOWTO 1 (was: Re: AM report on Thierry Bourrillon)
Peter Palfrader wrote:
>You miss the point, imagine the following situation:
>
>We meet, I show you my ID and give you the fingerprint.
>My key has two IDs:
> Peter Palfrader <weasel@debian.org>
> Peter Palfrader <sirpeter@gmx.net>
>
>You sign both and send the key to my primary address or upload it to the
>keyserver.
>
>Congratulations, you have just allowed me to impersonate Peter Palfrader
><sirpeter@gmx.net>, who happens to be an all together different Peter
>Palfrader than me.
>
>Now If I sign mails with that key ppl will trust that I'm the
>sirpeter@gmx.net because after all _you_ signed that ID.
>
>If you had verified that I controlled sirpeter@gmx.net, this could never
>have happened.
How can I _verify_ that? Suppose you have temporarily spoofed gmx.net;
I "verify" that you are there and then you unspoof it.
All my signature verifies is that I personally met someone who presented
a particular key.
Do not put more trust in a web of trust than it deserves and do not trust
it to guarantee what it cannot.
--
Oliver Elphick Oliver.Elphick@lfix.co.uk
Isle of Wight http://www.lfix.co.uk/oliver
PGP: 1024R/32B8FAA1: 97 EA 1D 47 72 3F 28 47 6B 7E 39 CC 56 E4 C1 47
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839 932A 614D 4C34 3E1D 0C1C
========================================
"But as many as received him, to them gave he power to
become the sons of God, even to them that believe on
his name." John 1:12
Reply to: